Musings on Digital Identity

Archive for August, 2009

Many of us share a vision of an Internet where people can have authorities that they trust make verified claims about them, in contexts that they choose. For instance, using an identity card whose issuer can make “age-18-or-over” or “age-21-or-over” claims about me may let me use services at a site that accepts those claims from that issuer and that might otherwise be closed to me. More specialized interoperable verified claims, such as “coppa-certified-adult”, are also possible, and may open other doors for me. Before another month goes by, I wanted to draw attention to two new Information Cards that have been issued and that represent progress in making this vision of interoperable verified claims a reality.

Privacy Vaults Online (a.k.a. Privo) launched a Privo parent card that can make the claim that the person has been certified as an adult using a method that satisfies the US COPPA regulations. This is the “coppa-certified-adult” claim referenced above, and it is defined in the ICF Claims Catalog so that others can use it as well. The Privo card also broke new ground by using a “verification-method” claim, so that the relying party can tell how the information was verified, and a “verified-claims” claim, so that the relying party can tell which of the card’s claims were actually verified. It also offers the same “age-18-or-over” claim that the Equifax card does. See the press release for more information, including sites where you can use your Privo card.
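The security-relevant point of the “verified-claims” and “verification-method” claims is that a relying party should not treat every claim in a token as verified just because the token comes from a known issuer; it should trust a claim only if that issuer is trusted for it, the issuer says it verified it, and the verification method meets the site’s policy. The following is an added example written for this post, not code from Privo, Equifax, the ICF or the original page. The claim names come from the text; the flat dictionary layout (a token that has already been signature-checked and flattened), the issuer identifiers and the accepted verification-method labels are assumptions made for illustration.

```python
"""Relying-party policy check over a verified-claims token (added example).

Claim names ("age-18-or-over", "coppa-certified-adult", "verification-method",
"verified-claims") are taken from the post. The dict layout, the issuer
identifiers and the verification-method labels below are assumptions; real
Information Card tokens are signed SAML assertions whose claims are identified
by URIs, and this code assumes the signature has already been validated and
the assertion flattened into a dict.
"""

from dataclasses import dataclass, field

# Hypothetical trust policy: which issuers this site trusts for which claims,
# and which verification methods it accepts. Labels are assumed.
TRUSTED_ISSUERS = {
    "example-privo-issuer": {"age-18-or-over", "coppa-certified-adult"},
    "example-equifax-issuer": {"age-18-or-over", "age-21-or-over"},
}
ACCEPTED_METHODS = {"credit-check", "government-id"}


@dataclass
class Decision:
    allowed: bool
    reason: str
    verified: set = field(default_factory=set)


def parse_verified_claims(token: dict) -> set:
    """The issuer's own list of which claims it verified.

    A missing or empty list means "nothing verified": the safe default is to
    treat every other claim as self-asserted.
    """
    raw = token.get("verified-claims", "")
    return {c.strip() for c in raw.split(",") if c.strip()}


def check_claim(token: dict, required: str) -> Decision:
    """Decide whether `required` may be relied on, checking in order:
    trusted issuer, issuer trusted for this claim, claim asserted,
    claim listed as verified, verification method acceptable."""
    issuer = token.get("issuer")
    if issuer not in TRUSTED_ISSUERS:
        return Decision(False, f"untrusted issuer {issuer!r}")
    if required not in TRUSTED_ISSUERS[issuer]:
        return Decision(False, f"{issuer!r} is not trusted for {required!r}")
    if token.get(required) != "true":
        return Decision(False, f"claim {required!r} absent or not asserted")
    verified = parse_verified_claims(token)
    if required not in verified:
        # The claim is present but the issuer did not say it verified it.
        return Decision(False, f"{required!r} not in verified-claims", verified)
    method = token.get("verification-method")
    if method not in ACCEPTED_METHODS:
        return Decision(False, f"verification method {method!r} not accepted", verified)
    return Decision(True, "ok", verified)


# Constructed sample tokens (assumed post-signature-check, flattened form).
GOOD_TOKEN = {
    "issuer": "example-privo-issuer",
    "age-18-or-over": "true",
    "coppa-certified-adult": "true",
    "verification-method": "credit-check",
    "verified-claims": "age-18-or-over,coppa-certified-adult",
}
# Same issuer, but the age claim is not among the verified ones.
SELF_ASSERTED_TOKEN = {
    "issuer": "example-privo-issuer",
    "age-18-or-over": "true",
    "verification-method": "credit-check",
    "verified-claims": "coppa-certified-adult",
}
# Identical claims from an issuer the site does not trust.
UNTRUSTED_TOKEN = {**GOOD_TOKEN, "issuer": "example-self-issued"}

if __name__ == "__main__":
    samples = [("good", GOOD_TOKEN), ("self-asserted", SELF_ASSERTED_TOKEN),
               ("untrusted", UNTRUSTED_TOKEN)]
    for name, tok in samples:
        d = check_claim(tok, "age-18-or-over")
        print(f"{name}: allowed={d.allowed} ({d.reason})")
```

The ordering of the checks matters: issuer trust is decided before any claim value is read, so a self-issued or unknown card can never be promoted to “verified” by simply including the right claim names in its token.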

Acxiom issued the Acxiom Identity Card, which a person can use to make verified name and address claims about themselves online. It also makes a new ICF-defined claim, “icam-assurance-level-1”, asserting that “the security token is issued according to the requirements of the U.S. federal Identity Credential and Access Management (ICAM) Assurance Level 1”. See the press release for more information about the Acxiom card.

I’m writing to thank the Burton Group for sponsoring the federation interop demonstration at the 2009 Catalyst Conference in San Diego. As you can see from the logos, they attracted an impressive set of interop participants. It was great working with the knowledgeable and enthusiastic colleagues from other companies to ensure that our products will work together for our customers.

Microsoft demonstrated SAML 2.0 interoperation using our forthcoming Active Directory Federation Services 2.0 product (no, it’s not named “Geneva” Server anymore). We federated both to and from numerous other implementations. For instance, those attending in person got to watch yours truly demonstrate using AD FS 2.0 to log into SalesForce.com and WebEx, among other scenarios.

But why write about this now, one might ask? Isn’t the interop done? Not necessarily! In fact, one of the cool things about online interops is that the participants can continue testing well after “the event” is over. For instance, we’ve done some WS-Federation testing with participants since Catalyst, and we’ve also invited participants to re-test against a more recent drop of our server bits if they’d like to.

Finally, I’d be remiss if I didn’t thank the Eternal Optimist herself for doing the work to enable the Catalyst interop to be hosted on the OSIS wiki. Doing the interop online with public endpoint information helped the work go as smoothly as possible.

In October, Microsoft announced that Windows Live IDs would also be OpenIDs. Today the Live ID team published an analysis of what we have learned in operating the Community Technology Preview (CTP) release of our OpenID provider. The post is well worth a read and covers, among other things, lessons learned about aliasing and namespaces, having multiple ways to reach the same functionality, and explaining things to users. Enjoy!